17 Impersonation in SharePoint


Impersonation in SharePoint
• Developers use impersonation when an application needs to perform a task for which the current user does not have permissions, for example:
• accessing a master list on the WSS site of which the user might not be a member
• creating a list when the user only has reader privileges
• using Windows authentication to access a SQL database for which the currently logged in user does not have permissions
Copyright © 2006 Pilothouse Consulting Inc. All rights reserved.
Impersonation – Web.config
• The ASP.NET web.config <identity> element allows various settings:
<identity impersonate="false"/> - runs as the process (application pool) user
<identity impersonate="true"/> - impersonates the currently logged in user
<identity impersonate="true" userName="spstraining\admin" password="testpass"/> - impersonates the user specified
SharePoint always defaults to impersonating the currently logged in user
Impersonation – WindowsIdentity
• In code, we can find out the user under which the code runs:
Response.Write("Process runs as " + WindowsIdentity.GetCurrent().Name);
Impersonation – WindowsImpersonationContext
• In code, we can create a WindowsImpersonationContext for a specific user:
// create impersonation context; CreateIdentity is a helper that logs the
// user on and returns a WindowsIdentity (details are in the SDK)
WindowsImpersonationContext wic = CreateIdentity(user, domain, password).Impersonate();
// code that will run under the impersonated user, e.g. create a list
wic.Undo(); // revert back to the currently logged in user
• Kerberos delegation needs to be enabled if the impersonated identity has to reach resources on other servers
Impersonation – The New SharePoint Way
SPSecurity.RunWithElevatedPrivileges(delegate()
{
// do things assuming the permission of the "system account";
// the SPSite must be created inside the delegate so that it is
// opened under the elevated identity
using (SPSite site = new SPSite(web.Site.ID))
{
Response.Write("content database name for this site is " + site.ContentDatabase.Name);
}
});
Demo: Impersonation
1. Use SharePoint specific impersonation
2. Use ASP.NET impersonation
Authentication Models
• Trusted Subsystem - the application (middle tier) authenticates with a fixed identity
– Offers database connection pooling.
– Is less complex.
– The group that owns and manages the back end gives access to one account that they manage.
• Impersonation and Delegation - the application (middle tier) impersonates the client and authenticates to the back end on the client's behalf
– To enable auditing at the back end.
– If there is per-user authorization at the back end.
Connection String Options: SQL Authentication
• SQL Authentication, example:
server=training; uid=sa; pwd=Pilot; database=Pilothou1_Site
Advantage: easy to use, no special requirements.
Disadvantage: username and password are stored in clear text in the connection string.
Connection String Options: Windows Authentication
• Windows Authentication, example:
Integrated Security=SSPI; server=training; database=Pilothou1_Site
Advantage: username and password are not in clear text.
Disadvantage: if the application runs as the currently logged in user, that user must have access to the DB.
• Windows Authentication with impersonation of the application pool user
Advantage: uses the application pool account to access the DB.
Disadvantage: no significant disadvantages.
Application Pool Account Impersonation Details
using System.Security.Principal;
// revert to self (the application pool account)
WindowsImpersonationContext wic = WindowsIdentity.Impersonate(IntPtr.Zero);
try
{
// perform db operations
}
finally
{
wic.Undo(); // resume impersonating the logged in user, even if an exception was thrown
}
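As an added example, not taken from the slides, the C# below combines the two patterns shown above: the revert to the application pool account is scoped to a single database call and always undone in finally, and the SPSite is re-created inside the RunWithElevatedPrivileges delegate. The connectionString, sql and siteId inputs are assumptions; only .NET Framework and the SharePoint object model are used.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using Microsoft.SharePoint;

public static class ImpersonationHelpers
{
    // Trusted Subsystem access to the back-end database: run one query as the
    // application pool account instead of the impersonated (logged in) user.
    // connectionString is expected to use Integrated Security=SSPI (assumed input).
    public static int CountRowsAsAppPool(string connectionString, string sql)
    {
        string caller = WindowsIdentity.GetCurrent().Name; // the logged in user
        // Revert to self: the thread now carries the application pool identity.
        WindowsImpersonationContext wic = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            string effective = WindowsIdentity.GetCurrent().Name; // app pool account
            System.Diagnostics.Trace.WriteLine(caller + " -> " + effective);
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                conn.Open();
                return Convert.ToInt32(cmd.ExecuteScalar());
            }
        }
        finally
        {
            // Resume impersonating the logged in user even when the query throws,
            // so no later code on this thread runs with the app pool identity.
            wic.Undo();
        }
    }

    // SharePoint-specific elevation. The SPSite must be created inside the
    // delegate: an SPSite opened outside keeps the caller's security context.
    public static string GetContentDatabaseName(Guid siteId)
    {
        string name = null;
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(siteId))
            {
                name = site.ContentDatabase.Name;
            }
        });
        return name;
    }
}
```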
Demo: Using App Pool Account to Access DB
1. Accessing the DB using Windows Authentication and the application pool account
Links
• How to implement impersonation in an ASP.NET application: http://support.microsoft.com/?id=306158
• ASP.NET Impersonation: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetimpersonation.asp
• ASP.NET Impersonation (Designing Distributed Applications with Visual Studio .NET): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconimpersonation.asp